Security
A posture, written down.
Reporting is about numbers that matter. The platform underneath is designed like the platform you would expect. Encrypted at rest. Encrypted in transit. Scoped by default. Audited for every action.
What ships today
The controls in place now.
TLS: In transit
At rest: Encrypted storage
Scoped: Per workspace
Logged: Every action
The audit log is not a bolt-on. Every action attaches an actor, a timestamp, and a payload. You can read it, filter it, and export it to CSV or JSON.
Questions
Honest answers.
Are you certified to a specific standard?
Not yet. We are a small team and have not pursued formal certification. We follow the controls you see on this page and answer security questionnaires directly. If you need a specific control, write to us and we will tell you the state plainly.
Do you store my source data?
Only the slices needed for a report. Cached reads expire within a run. Longer-term storage is opt-in per source and clearly labeled in the connection settings.
Can I rotate a key?
Any time, from Settings. API keys, webhook secrets, and connection tokens are all rotatable without downtime.
What about deletion?
When you delete a workspace, its associated data is removed from primary storage within seven days and from backups on the backup retention cycle.